Technology, for all its advantages in today’s world, can also be scary. As easy as it is to pay for an item with a credit card online, more and more hackers are finding ways to access that same card for their own dastardly purposes.
That’s where folks like Mike Weiss come in. The City of Midlothian Director of Information Technology has some advice for folks to put them more at ease and protect them from becoming victims.
Weiss has over 25 years of experience in Information Technology and 17 years in local government. He specializes in Cyber Security, focusing on blue team (or defensive) operations.
In 2007, Weiss achieved his CISSP (Certified Information Systems Security Professional) certification, and in 2012, he completed his Masters of Science in Information Security Engineering. Additionally, he holds several certifications in Information Security operations, including Windows Defenses, Industrial Security Systems, Defensible Architecture, Enterprise Defense, Incident Handling, and Intrusion Analysis.
Weiss has been with the City of Midlothian since 2009.
FDN: What’s the best advice you can give someone to ensure their information is safe?
MW: The best practice is to form good password habits. Almost everyone uses an account these days, and they involve using a password to authenticate your identity. Using a password manager – such as LastPass, Keeper Security or Dashlane – to hold your passwords in an encrypted vault and taking advantage of their automatic password creation tools can greatly improve your information security. Most include browser plugins or mobile phone apps to access your account easily and can autofill your passwords. They are a rare instance of a security improvement that is also more convenient.
I generally recommend starting small with a few passwords that you use often and then slowly expand as you get more comfortable with the process and the way the password manager works. Most password managers also come with additional tools to check whether your password was found in a hack and they can recommend which passwords need to be replaced, improved or, in some cases, can even do the password reset themselves from within the manager.
In addition, multi-factor authentication (MFA) has been gaining a lot of traction lately. In this method, you provide a password and a code that’s emailed, texted, or sent from an app on your phone. This is also a great improvement in personal security, as you must have access to the additional code in order to log in.
FDN: What is the most common – and probably most dangerous – thing folks should look out for regarding cyber security?
MW: An issue I run across daily is people clicking on links in questionable emails. A lot of times, it’s a non-issue, but it’s an incredibly dangerous habit to form. We spend a lot of time training our users to be wary of emails from unknown sources or even a known source you aren’t expecting.
Malicious emails, called “phishing” attacks, attempt to get a user to click on a link that looks like it’s from your bank or a tracking number for a package. Usually, this is tied to a sense of urgency, such as an account getting locked or losing the package if you don’t act immediately.
Once clicked, the link will go to a fake site that looks like your bank or social media site and attempt to get you to log in, providing the attackers with your credentials. Or, the link will download a malicious file and attempt to install malware on your computer, which will usually provide access to your computer and give the attacker a lot of access to your life.
FDN: What changes have you seen in internet security since you joined the City of Midlothian 15 years ago?
MW: The sheer expansion of devices connected to the internet over the past 15 years is just amazing. That has led to a whole host of devices that are now vulnerable to hacking because they’re accessible to anyone in the world. Unfortunately, a lot of the companies responsible for updating and securing these devices aren’t always the most diligent at finding vulnerabilities and fixing them.
FDN: Have you personally experienced any sort of hack from which you can share the experience? If so, what did you learn?
MW: I’ve been fortunate in my career only to have been directly involved in minor incidents. Almost all of these have started with a user who is careless when opening an email attachment or clicking on a malicious link. As a rule, I take a layered approach with my cyber security program, called Defense-In-Depth. This means utilizing multiple overlapping tools to secure the City of Midlothian’s systems. In each incident, at least one of those tools has stopped the hack from going from a minor issue to a major incident.
Over the years, I’ve learned that maintaining a certain level of awareness of what you’re clicking on goes a long way. It’s difficult in this age of constant popups or alerts vying for our attention, but paying attention to what you click on will prevent a lot of headaches.
FDN: Elderly people seem to be large targets of hacking. What seems to be the most common scam and what advice do you have?
MW: Aside from the slew of phishing emails out there, I’ve seen a lot of “vishing” attacks. These are where someone will call your phone and say they’re from Microsoft, the FBI, or another reputable company and claim they’ve found a virus or other problem with your computer. Further, they will ask the person to go to a website and install software to allow them to clean your computer for you as a service.
As with most things, if it seems to be too good to be true, it probably is. Microsoft and the FBI aren’t calling random people offering to clean their computers for them. As with phishing, this is generally tied to a sense of urgency to push someone to act without thinking.
FDN: What role does the city play in helping folks be safe from hacking?
MW: While the city has no ability to protect privacy or security of personal devices used by private citizens, every effort is made to ensure the security of city systems and devices in order to protect personal information provided through transactions the city has with individuals or companies.
FDN: Is there a way to stay one step ahead of the hackers instead of vice-versa?
MW: Unfortunately, there isn’t a way to stay ahead of hackers as new methods are being developed all the time and cyber defense has to react to the new attacks that are being delivered. However, by staying vigilant with how you use technology, moderating what you put out in public spaces such as social media, and staying critical with clicking on links in emails, you can mitigate a lot of the access that hackers require.
It’s difficult to attack a system from outside, which is why so many attacks rely on users clicking on links in emails or on compromised websites. Denying them that action and that “in” to your computer puts you out of reach for most hackers.
FDN: Any additional thoughts/comments?
MW: It doesn’t take really any technical knowledge or special training to keep an eye out for things that are too good to be true or just seem a little off. Living in the digital world that we find ourselves in requires not only a healthy level of awareness but also a level of skepticism that doesn’t always come naturally to everyone.
We tend to naturally trust others and we really want that special deal that landed in our email box to be true. Unfortunately, it’s probably a scam and simply deleting the email and moving on is usually the best option.